  1. #1

    Extracting the ips from exim_rejectlog

    I'm trying to figure out how to pull IPs from exim_rejectlog so I can write them to the firewall deny file. I've got a client under a serious spam attack for over 2 weeks now, the worst I've ever seen. I guess someone went out and submitted his domains or emails at different spam-me places and now we are getting incoming emails like 10-20 per second non-stop.

    We have got the email server rejecting perfectly; very little gets through. Actually only the legit spam, the kind sent from legit servers with no reason for exim to block it, not blacklisted or anything - the emails have unsubscribe links and all.

    But we need to get the flow of spam down; even though it is getting blocked, our log files get huge in no time. The client recently had to pay overages on dnsmadeeasy for so many queries, so we moved the DNS to softlayer.

    So now we want to start banning all IPs that send mail that gets rejected, in case it is the same servers spamming him over and over.

    To cut the IPs out, it takes f4 and f5 like:

    tail -f exim_rejectlog > badips

    cut -f4 -d' ' badips

    Then it will show IPs for some and the hostname for others, so I guess it's not gonna work to do that.
    Example (these are all spam IPs, blacklisted or otherwise, so no innocent person's IP is posted here):

    Code:
    [email protected] [/var/log]# cut -f4 -d' ' badips
    [187.11.192.214]
    (mail.flewid.net)
    [63.247.74.226]
    [212.38.114.28]
    [130.73.108.11]
    [130.73.108.11]
    [201.233.13.192]
    [201.233.13.192]
    [187.44.131.201]
    (phmexch01.PHM.local)
    [62.149.35.16]
    [89.211.53.195]
    [89.211.53.195]
    [189.107.46.191]
    [187.44.131.201]
    [189.106.158.125]
    [64.91.254.149]
    (server.adultcustomgoods.com)
    [147.97.234.35]
    (linux.dnvietnam.com)
    [210.242.11.254]
    [200.90.147.55]
    [200.90.147.55]
    (clusterlerss.lerss.fr)
    [201.74.26.170]
    [200.58.166.164]
    As you see it is mostly IPs but some hostnames, so those cannot be added to csf.deny. So I need just the IPs and NOT the [] chars or hostname.

    Here is a sample log excerpt:
    Code:
    2009-06-27 18:56:22 H=mx10.sea2.classmates.com [65.243.133.20] F=<> rejected RCPT <[email protected]>: no such address here
    2009-06-27 18:56:29 H=(PABLSZBC) [200.76.193.26] rejected MAIL <[email protected]>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
    2009-06-27 18:56:29 H=mail.alkar.net [195.248.191.95] F=<> rejected RCPT <[email protected]>: no such address here
    2009-06-27 18:56:32 H=ms1.mail-filter.nifty.com (trmail544.nifty.com) [202.248.236.206] F=<> rejected RCPT <[email protected]>: no such address here
    2009-06-27 18:56:34 H=(Dynamic-IP-1868366224.cable.net.co) [186.83.66.224] F=<[email protected]> rejected RCPT <[email protected]>: "JunkMail rejected - (Dynamic-IP-1868366224.cable.net.co) [186.83.66.224] is in an RBL, see http://www.spamhaus.org/query/bl?ip=186.83.66.224"
    2009-06-27 18:56:38 H=95-91-210-223-dynip.superkabel.de [95.91.210.223] temporarily rejected connection in "connect" ACL: "Host is ratelimited (1.2/1h max:1.2)"
    2009-06-27 18:56:38 H=(Dynamic-IP-1868366224.cable.net.co) [186.83.66.224] F=<[email protected]> rejected RCPT <[email protected]>: "JunkMail rejected - (Dynamic-IP-1868366224.cable.net.co) [186.83.66.224] is in an RBL, see http://www.spamhaus.org/query/bl?ip=186.83.66.224"
    2009-06-27 18:56:39 H=suse.kitusa.net [63.245.131.244] F=<> rejected RCPT <[email protected]>: no such address here
    2009-06-27 18:56:41 H=bte.16sv.org [202.131.199.16] F=<> rejected RCPT <[email protected]>: no such address here
    2009-06-27 18:56:42 H=(quark.net4u.it) [87.250.74.6] F=<> rejected RCPT <[email protected]>: no such address here
    2009-06-27 18:56:44 H=smtp.firstaid.co.nz (esnmail01.alsco.co.nz) [210.54.249.60] F=<> rejected RCPT <[email protected]>: no such address here
    2009-06-27 18:56:45 H=stuntdog.nitric.co.za [65.19.178.21] F=<> rejected RCPT <[email protected]>: no such address here
    2009-06-27 18:56:45 H=(184.53.169.200.univali.br) [200.169.53.184] F=<[email protected]> rejected RCPT <[email protected]>: "JunkMail rejected - (184.53.169.200.univali.br) [200.169.53.184] is in an RBL, see http://www.spamhaus.org/query/bl?ip=200.169.53.184"
    2009-06-27 18:56:45 H=vps3.artematico.net (arteinformatico.net) [91.142.209.143] F=<> rejected RCPT <[email protected]>: no such address here
    Any help would be appreciated.

  2. #2
    I would use something like sed or even "replace" to strip out the [].

    Are you sure CSF won't allow for hostnames? We primarily use APF but I thought that it would take them fine, though it adds a little bit of overhead to have to resolve them while you are restarting it.
    John W, CISSP, C|EH
    MS Information Security and Assurance
    ITEagleEye.com - Server Administration and Security
    Yawig.com - Managed VPS and Dedicated Servers with VIP Service

  3. #3
    Ya, csf will say like
    [server.adultcustomgoods.com] is not a valid IP/CIDR

    Would you happen to know a sed or replace command to do that?

    I will be working on it but if you can think of one I'd appreciate it.
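One way to do the extraction the thread is asking for, as an added example that is not from any of the posters: the sed pattern and the sample lines are assumptions based on the log excerpt above (the line shape `H=<helo/host> [a.b.c.d]`), the addresses are constructed, and nothing here writes to csf.deny itself.

```shell
#!/bin/sh
# Added example (not from the thread): pull the connecting host's IPv4 address
# out of exim_rejectlog lines so only bare addresses reach a csf.deny-style list.
# Assumes the line shape shown in the thread: "... H=<helo/host> [a.b.c.d] ...".

# Constructed sample lines, copied in shape from the thread's excerpt.
SAMPLE_LOG='2009-06-27 18:56:22 H=mx10.sea2.classmates.com [65.243.133.20] F=<> rejected RCPT <x@example.com>: no such address here
2009-06-27 18:56:29 H=(PABLSZBC) [200.76.193.26] rejected MAIL <x@example.com>: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2009-06-27 18:56:32 H=ms1.mail-filter.nifty.com (trmail544.nifty.com) [202.248.236.206] F=<> rejected RCPT <x@example.com>: no such address here
2009-06-27 18:56:34 H=(Dynamic-IP-1868366224.cable.net.co) [186.83.66.224] F=<x@example.com> rejected RCPT <x@example.com>: "JunkMail rejected - (Dynamic-IP-1868366224.cable.net.co) [186.83.66.224] is in an RBL"
2009-06-27 18:56:38 H=(Dynamic-IP-1868366224.cable.net.co) [186.83.66.224] F=<x@example.com> rejected RCPT <x@example.com>: "JunkMail rejected - (Dynamic-IP-1868366224.cable.net.co) [186.83.66.224] is in an RBL"
2009-06-27 18:56:40 H=(bogus) [999.1.1.1] rejected MAIL <x@example.com>: constructed malformed address'

# reject_ips: stdin = log lines, stdout = one IPv4 per matching line (not unique).
# Only the bracketed address directly after the H= field is taken, so the same
# address quoted again inside an RBL message is not counted twice, and any
# candidate that fails the 0-255 octet check is dropped instead of reaching the firewall.
reject_ips() {
    sed -n 's/^.* H=[^[]*\[\([0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}\)\].*$/\1/p' \
    | awk -F. '$1<=255 && $2<=255 && $3<=255 && $4<=255'
}

# repeat_offenders MIN: stdin = log lines, stdout = sorted unique IPs rejected
# at least MIN times, so the hosts hammering the server get listed rather than
# a legitimate MX that bounced a single message to a dead address.
repeat_offenders() {
    reject_ips | sort | uniq -c | awk -v min="$1" '$1 >= min { print $2 }' | sort
}

# Stand-alone usage: every rejecting IP once, then only those seen twice or more.
printf '%s\n' "$SAMPLE_LOG" | repeat_offenders 1
echo '--- seen 2+ times ---'
printf '%s\n' "$SAMPLE_LOG" | repeat_offenders 2
```

On a live box the same functions take `tail -n 5000 /var/log/exim_rejectlog | repeat_offenders 3` as input; review the list before appending it to the deny file.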
